Set up Detekt report merging (#5452)

* Apply https://detekt.dev/docs/introduction/reporting/#kotlin-dsl to the Detekt project.

* Apply https://detekt.dev/docs/introduction/reporting/#integration-with-github-code-scanning to the Detekt project.

* Format yaml files to fix indentation levels (now all consistent)

* Replace always() with success() || failure() to exclude execution on cancellation where upload will almost surely always fail.

* Update report task documentation with examples matching recent lazy style.

* Fix a few eager task creations in Detekt's Gradle build.

* QA: Break some code

* Actually, it cannot be lazy :(

* Document how to get nice annotations on GitHub

* Run as much tasks as possible on CI.

* Revert "QA: Break some code"

This reverts commit c7293cd.

.github/workflows/deploy-snapshot.yaml

@@ -16,26 +16,26 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'detekt/detekt' && !contains(github.event.head_commit.message, 'ci skip')
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
+      - name: Checkout Repo
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
 
-    - name: Setup Java
-      uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
-      with:
-        java-version: 17
-        distribution: 'temurin'
+      - name: Setup Java
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
+        with:
+          java-version: 17
+          distribution: 'temurin'
 
-    - name: Build detekt
-      uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
-      with:
-        arguments: build
+      - name: Build detekt
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
+        with:
+          arguments: build
 
-    - name: Deploy Snapshot
-      uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
-      env:
-        ORG_GRADLE_PROJECT_SIGNING_KEY: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_KEY }}
-        ORG_GRADLE_PROJECT_SIGNING_PWD: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_PWD }}
-        ORG_GRADLE_PROJECT_SONATYPE_USERNAME: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_USERNAME }}
-        ORG_GRADLE_PROJECT_SONATYPE_PASSWORD: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_PASSWORD }}
-      with:
-        arguments: publishAllToSonatypeSnapshot -Dsnapshot=true --stacktrace
+      - name: Deploy Snapshot
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
+        env:
+          ORG_GRADLE_PROJECT_SIGNING_KEY: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_KEY }}
+          ORG_GRADLE_PROJECT_SIGNING_PWD: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_PWD }}
+          ORG_GRADLE_PROJECT_SONATYPE_USERNAME: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_USERNAME }}
+          ORG_GRADLE_PROJECT_SONATYPE_PASSWORD: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_PASSWORD }}
+        with:
+          arguments: publishAllToSonatypeSnapshot -Dsnapshot=true --stacktrace

.github/workflows/detekt-with-type-resolution.yaml

@@ -40,7 +40,7 @@ jobs:
 
       - name: Upload SARIF to Github using the upload-sarif action
         uses: github/codeql-action/upload-sarif@cc7986c02bac29104a72998e67239bb5ee2ee110 # tag=v2
-        if: ${{ always() }}
+        if: success() || failure()
         with:
           sarif_file: build/detekt-report.sarif
 
@@ -49,15 +49,22 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
-
-    - name: Setup Java
-      uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
-      with:
-        java-version: 17
-        distribution: 'temurin'
-    - name: Run analysis
-      uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
-      with:
-        arguments: detektMain detektTest
+      - name: Checkout Repo
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
+
+      - name: Setup Java
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
+        with:
+          java-version: 17
+          distribution: 'temurin'
+
+      - name: Run analysis
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
+        with:
+          arguments: detektMain detektTest :detektReportMergeSarif --continue
+
+      - name: Upload SARIF to Github using the upload-sarif action
+        uses: github/codeql-action/upload-sarif@cc7986c02bac29104a72998e67239bb5ee2ee110 # tag=v2
+        if: success() || failure()
+        with:
+          sarif_file: build/reports/detekt/merge.sarif

.github/workflows/gradle-wrapper-validation.yml

@@ -17,5 +17,6 @@ jobs:
     steps:
       - name: Checkout latest code
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
+
       - name: Validate Gradle Wrapper
         uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b # tag=v1

.github/workflows/pre-merge.yaml

@@ -29,62 +29,72 @@ jobs:
             jdk: 8
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
-    - name: Setup Java
-      uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
-      with:
-        java-version: ${{ matrix.jdk }}
-        distribution: 'temurin'
-    - name: Build detekt
-      uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
-      with:
-        arguments: build -x detekt
-    - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3
-      with:
-        name: heap-dump
-        path: '**.hprof'
-        if-no-files-found: ignore
-    - name: Run detekt-cli --help
-      uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
-      with:
-        arguments: :detekt-cli:runWithHelpFlag
-    - name: Run detekt-cli with argsfile
-      uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
-      with:
-        arguments: :detekt-cli:runWithArgsFile
-    - name: Try to publish to Maven Local
-      uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
-      with:
-        arguments: publishToMavenLocal
+      - name: Checkout Repo
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
+
+      - name: Setup Java
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
+        with:
+          java-version: ${{ matrix.jdk }}
+          distribution: 'temurin'
+
+      - name: Build detekt
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
+        with:
+          arguments: build -x detekt
+
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3
+        with:
+          name: heap-dump
+          path: '**.hprof'
+          if-no-files-found: ignore
+
+      - name: Run detekt-cli --help
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
+        with:
+          arguments: :detekt-cli:runWithHelpFlag
+
+      - name: Run detekt-cli with argsfile
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
+        with:
+          arguments: :detekt-cli:runWithArgsFile
+
+      - name: Try to publish to Maven Local
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
+        with:
+          arguments: publishToMavenLocal
 
   verify-generated-config-file:
     if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
-    - name: Setup Java
-      uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
-      with:
-        java-version: 17
-        distribution: 'temurin'
-    - name: Verify Generated Detekt Config File
-      uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
-      with:
-        arguments: verifyGeneratorOutput
+      - name: Checkout Repo
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
+
+      - name: Setup Java
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
+        with:
+          java-version: 17
+          distribution: 'temurin'
+
+      - name: Verify Generated Detekt Config File
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
+        with:
+          arguments: verifyGeneratorOutput
 
   compile-test-snippets:
     if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
+
       - name: Setup Java
         uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
         with:
           java-version: 17
           distribution: 'temurin'
+
       - name: Build and compile test snippets
         uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
         with:
@@ -96,11 +106,13 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3
+
       - name: Setup Java
         uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc # tag=v3
         with:
           java-version: 17
           distribution: 'temurin'
+
       - name: Run with allWarningsAsErrors
         uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef # tag=v2
         with:

build.gradle.kts

@@ -1,12 +1,17 @@
 import io.gitlab.arturbosch.detekt.Detekt
 import io.gitlab.arturbosch.detekt.DetektCreateBaselineTask
+import io.gitlab.arturbosch.detekt.report.ReportMergeTask
 
 plugins {
     id("releasing")
     id("io.gitlab.arturbosch.detekt")
     alias(libs.plugins.gradleVersions)
 }
 
+val detektReportMergeSarif by tasks.registering(ReportMergeTask::class) {
+    output.set(rootProject.layout.buildDirectory.file("reports/detekt/merge.sarif"))
+}
+
 allprojects {
     group = "io.gitlab.arturbosch.detekt"
     version = Versions.currentOrSnapshot()
@@ -31,7 +36,7 @@ allprojects {
         detektPlugins(project(":detekt-rules-ruleauthors"))
     }
 
-    tasks.withType<Detekt>().configureEach {
+    tasks.withType<Detekt> detekt@{
         jvmTarget = "1.8"
         reports {
             xml.required.set(true)
@@ -40,14 +45,19 @@ allprojects {
             sarif.required.set(true)
             md.required.set(true)
         }
+        basePath = rootProject.projectDir.absolutePath
+        finalizedBy(detektReportMergeSarif)
+        detektReportMergeSarif.configure {
+            input.from(this@detekt.sarifReportFile)
+        }
     }
     tasks.withType<DetektCreateBaselineTask>().configureEach {
         jvmTarget = "1.8"
     }
 }
 
 subprojects {
-    tasks.withType<Test> {
+    tasks.withType<Test>().configureEach {
         predictiveSelection {
             enabled.set(System.getenv("CI") == null)
         }

detekt-parser/build.gradle.kts

@@ -13,7 +13,7 @@ dependencies {
     testImplementation(libs.assertj)
 }
 
-tasks.withType<Test> {
+tasks.withType<Test>().configureEach {
     systemProperty("kotlinVersion", getKotlinPluginVersion())
 
     doFirst {

detekt-rules-ruleauthors/build.gradle.kts

@@ -8,6 +8,6 @@ dependencies {
     testImplementation(libs.assertj)
 }
 
-tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
+tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile>().configureEach {
     kotlinOptions.freeCompilerArgs = listOf("-Xcontext-receivers")
 }

website/docs/introduction/reporting.md

@@ -87,7 +87,7 @@ run `./gradlew detekt reportMerge --continue` to execute detekt tasks and merge
 
 ### Groovy DSL
 ```groovy
-task reportMerge(type: io.gitlab.arturbosch.detekt.report.ReportMergeTask) {
+tasks.register("reportMerge", io.gitlab.arturbosch.detekt.report.ReportMergeTask) {
   output = project.layout.buildDirectory.file("reports/detekt/merge.xml") // or "reports/detekt/merge.sarif"
 }
 
@@ -98,7 +98,7 @@ subprojects {
   }
 
   plugins.withType(io.gitlab.arturbosch.detekt.DetektPlugin) {
-    tasks.withType(io.gitlab.arturbosch.detekt.Detekt) { detektTask ->
+    tasks.withType(io.gitlab.arturbosch.detekt.Detekt) { detektTask -> // Sadly it has to be eager.
       finalizedBy(reportMerge)
 
       reportMerge.configure { mergeTask ->
@@ -113,17 +113,17 @@ subprojects {
 
 ```kotlin
 val reportMerge by tasks.registering(io.gitlab.arturbosch.detekt.report.ReportMergeTask::class) { 
-  output.set(rootProject.buildDir.resolve("reports/detekt/merge.xml")) // or "reports/detekt/merge.sarif"
+  output.set(rootProject.layout.buildDirectory.file("reports/detekt/merge.xml")) // or "reports/detekt/merge.sarif"
 }
 
 subprojects {
   detekt {
     reports.xml.required.set(true)
     // reports.sarif.required.set(true)
   }
-  
-  plugins.withType(io.gitlab.arturbosch.detekt.DetektPlugin::class) {
-    tasks.withType(io.gitlab.arturbosch.detekt.Detekt::class) detekt@{
+
+  plugins.withType<io.gitlab.arturbosch.detekt.DetektPlugin> {
+    tasks.withType<io.gitlab.arturbosch.detekt.Detekt> detekt@{ // Sadly it has to be eager.
       finalizedBy(reportMerge)
 
       reportMerge.configure {
@@ -162,8 +162,14 @@ jobs:
       # Make sure we always run this upload task,
       # because the previous step may fail if there are findings.
       - name: Upload SARIF to Github using the upload-sarif action
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
         if: success() || failure()
         with:
-          sarif_file: build/detekt.sarif
+          sarif_file: build/reports/detekt/detekt.sarif
+```
+
+Note: you'll have to set `Detekt.basePath` on each Detekt Gradle task,
+so that GitHub knows where the repository is to place annotations correctly.
+```gradle
+basePath = rootProject.projectDir.absolutePath
 ```